
Fortinet and Ivanti Continue to Keep Customers Occupied with New Critical Bugs


Fortinet and Ivanti VPN customers are once again facing significant challenges as both vendors recently disclosed critical vulnerabilities in their products. These vulnerabilities require immediate attention from security teams, who are already grappling with existing bugs that have been actively exploited by cyber attackers.

Fortinet revealed a critical out-of-bounds vulnerability in its FortiOS SSL VPN technology, identified as CVE-2024-21762. The flaw allows an unauthenticated attacker to execute arbitrary code or commands on affected systems via specially crafted HTTP requests. It affects multiple versions of FortiOS, and Fortinet has assigned it a CVSS score of 9.6 out of 10. On the same day, Fortinet disclosed three further vulnerabilities: a near-maximum-severity format string bug and two medium-severity flaws. Although those three are not currently known to be exploited, they still pose a security risk and should be patched.

This development comes at a time when organizations are still working to patch two maximum-severity command injection bugs in Fortinet’s FortiSIEM that were disclosed earlier in February. Fortinet’s VPNs have been frequent targets for attackers, which makes it all the more important for organizations to address exploitable vulnerabilities promptly. For instance, the US government recently warned that China-backed actors were targeting US critical infrastructure using vulnerabilities in Fortinet products.

Meanwhile, Ivanti disclosed a critical vulnerability (CVE-2024-22024) in its Connect Secure and Pulse Secure technologies. The company described the flaw as an XML external entity (XXE) issue with a CVSS score of 8.3 that allows unauthenticated attackers to access restricted resources on affected systems. Although there is no evidence so far that attackers are actively exploiting this vulnerability, Ivanti customers are advised to address it promptly.
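The vulnerability class named above, XML external entity (XXE) processing, arises when an XML parser honours a DOCTYPE that declares entities pointing at files or URLs, so that a document from an untrusted client can pull server-side data into the parsed result. The standard mitigation is to refuse DTDs altogether on untrusted input. The following is an added illustration of that mitigation, not code from Ivanti or from the article: it uses Python's standard-library expat bindings, and the two XML documents are constructed samples.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and therefore possibly external entities)."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with DTD processing refused.

    Returns a mapping of element name -> concatenated character data, which is
    enough to show what a hardened parser lets through. Any DOCTYPE declaration,
    whether it defines entities or not, aborts the parse before entities can be
    expanded, so a SYSTEM/PUBLIC entity pointing at a local file is never resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never load or expand parameter entities from external sources.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result: dict = {}
    stack: list = []

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Expat calls this as soon as it sees <!DOCTYPE ...>, before any entity
        # declared inside it can be referenced in the body.
        raise UnsafeXMLError(
            f"DOCTYPE {doctype_name!r} rejected: DTDs are not allowed in untrusted input"
        )

    def start_element(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def end_element(name):
        stack.pop()

    def char_data(text):
        if stack:
            result[stack[-1]] += text

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data

    # A Python exception raised inside a handler propagates out of Parse().
    parser.Parse(data, True)
    return result


def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document, False if it parses it."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed sample inputs (not taken from any real product or advisory).
BENIGN_XML = b"<request><user>alice</user><action>status</action></request>"

# A document that declares an external entity; the SYSTEM URI is a placeholder.
# A parser that honours the DTD would try to read that resource and echo it back.
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
    b"<request><user>&ext;</user></request>"
)

if __name__ == "__main__":
    print("benign:", parse_untrusted_xml(BENIGN_XML))
    print("DTD-bearing document rejected:", is_rejected(XXE_XML))
```

Rejecting the DOCTYPE outright is coarser than disabling only external entity resolution, but it is the setting most parsers' hardening guides recommend for input from unauthenticated clients, because it also shuts down entity-expansion ("billion laughs") attacks that need no external reference at all. On the detection side, a request body containing `<!DOCTYPE` or `<!ENTITY` on an endpoint that never expects a DTD is a cheap and high-signal thing to alert on.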

These disclosures come amid ongoing efforts by organizations to address zero-day vulnerabilities previously disclosed by both Fortinet and Ivanti. The lag in patch availability for those earlier flaws led to mass exploitation attempts by threat groups. According to Ivanti, customers who had already applied the patches for the previous zero-days and reset their devices do not need to reset them again after applying the patch for the new flaw. Similarly, customers who have not yet patched against the previous zero-days can apply the patch for the new vulnerability and be protected against the older ones as well.

It is evident that the cybersecurity landscape for VPN technologies remains complex and challenging. Organizations and security teams must remain vigilant and responsive to emerging vulnerabilities and threats in order to safeguard their critical infrastructure and sensitive data. The collaboration between vendors, security researchers, and customers is essential to rapidly identify, address, and mitigate these vulnerabilities as they are discovered. Security best practices, patch management, and ongoing monitoring of network infrastructure are crucial to protecting against potential exploitation of security vulnerabilities in VPN technologies.
